The forecasts for IoT are huge, with some pundits suggesting that there will be 50 billion devices connected by 2020. Whether or not these forecasts are correct, it is clear IoT is already gaining meaningful market momentum, buoyed by a seemingly endless array of applications for consumers, enterprises and public services. Unfortunately, as these applications proliferate, they create a multitude of security vulnerabilities and attack surfaces, exacerbated by a variety of factors including:
Poor system designs that lack basic IT security measures, such as encryption and secure authentication. Commonly these poor designs reflect inadequate security skills and, in some cases, aggressive time-to-market demands among ecosystem players.
Integration with legacy systems not designed for secure connectivity.
Security vulnerabilities and associated attack surfaces increase as more devices are connected. This is particularly the case for IoT devices with limited computing capabilities that operate in unsupervised and hostile environments.
The stakes can be higher for the many IoT applications that interact with machines. This was clearly illustrated last year on prime-time television as viewers saw a Jeep Cherokee drive into a ditch after security researchers demonstrated how they could remotely disable its brakes.
IoT solutions commonly use proprietary and specialized standards to enable specific use cases and large-scale deployments, and to integrate into legacy environments such as M2M. The security vulnerabilities of these proprietary and specialized standards are typically greater than those associated with mainstream standards.
To make matters more challenging, enterprises cannot protect themselves by banning IoT applications. Unfortunately, IoT applications are well suited to shadow IT implementations since they are increasingly embedded in connected infrastructure and are proliferating in a slew of consumer markets. As a result, enterprises must arm themselves with the necessary tools, procedures and expert support to address IoT security. Much of this effort involves getting back to basics, including network assessments to identify and investigate the behavior of IoT device connections, and IoT device audits to ensure that they have trusted identities, encrypted traffic and safe software/firmware.
IoT is also well suited to advanced policy and heuristic-based security solutions. In particular, IoT devices tend to have narrowly defined functions that can be validated by policy enforcement platforms. For example, an IoT-connected device that monitors the temperature in a manufacturing plant should not accept temperature updates through a remote connection. Similarly, machine learning and artificial intelligence-based heuristics can be used to monitor the activities of IoT devices based on learned activity profiles. While both policy and heuristic-based platforms are well suited for IoT security, they require regular maintenance to ensure that the implemented policies and learned behaviors are valid.
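The two controls described above can be sketched side by side. This is an added example, not code from the article or from any product: the device name, addresses, ports, thresholds and flow records are all constructed assumptions, and a mean/deviation check stands in for a learned activity profile.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    device: str
    direction: str   # "out" = device-initiated, "in" = initiated by a remote peer
    peer: str
    port: int
    bytes_sent: int

# Hypothetical policy for a plant temperature monitor: it may only push
# readings to one collector and accepts no inbound connections at all.
POLICY = {"temp-sensor": {"out": {("10.0.5.10", 8883)}, "in": set()}}

def policy_violations(flows, policy=POLICY):
    """Return flows outside the device's declared function (default deny)."""
    bad = []
    for f in flows:
        allowed = policy.get(f.device, {}).get(f.direction, set())
        if (f.peer, f.port) not in allowed:
            bad.append(f)
    return bad

def learn_profile(history):
    """Learn a simple activity profile: mean and spread of bytes per flow."""
    sizes = [f.bytes_sent for f in history]
    return mean(sizes), pstdev(sizes)

def deviates(flow, profile, k=3.0, floor=16.0):
    """Flag a flow whose volume is more than k deviations from the profile."""
    mu, sigma = profile
    # The floor keeps a very tight baseline from flagging ordinary jitter.
    return abs(flow.bytes_sent - mu) > k * max(sigma, floor)

# Constructed sample data: a short baseline, then three observed flows.
HISTORY = [Flow("temp-sensor", "out", "10.0.5.10", 8883, b)
           for b in (120, 128, 124, 131, 119)]
OBSERVED = [
    Flow("temp-sensor", "out", "10.0.5.10", 8883, 126),     # normal reading
    Flow("temp-sensor", "in", "203.0.113.7", 502, 118),     # remote update attempt
    Flow("temp-sensor", "out", "10.0.5.10", 8883, 48_000),  # allowed peer, odd volume
]

if __name__ == "__main__":
    profile = learn_profile(HISTORY)
    blocked = policy_violations(OBSERVED)
    for f in OBSERVED:
        print(f.direction, f.peer, f.port, f.bytes_sent,
              "POLICY" if f in blocked else "-",
              "ANOMALY" if deviates(f, profile) else "-")
```

The inbound connection is caught only by the policy and the oversized upload only by the profile, which is why the two are complementary; both the allowlist and the baseline have to be revisited whenever the device's legitimate behavior changes.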
Since large-scale data breaches are on the increase, the stakes are potentially high for IoT systems that harbor confidential information. This is particularly important when protecting the privacy of individuals, commercial and national secrets, and regulatory compliance. For a growing number of IoT applications, stored data is increasingly becoming a liability and therefore there is growing interest in processing and filtering data at the IoT devices so that only the metadata is stored. For example, a video surveillance solution might be used to classify highway traffic for a smart city application. Rather than storing the video streams for post-processing, some solutions process the videos in real time and store only the vehicle counts.
With the continued expansion of IoT solutions, IoT security vulnerabilities and attack surfaces will increase, and security breaches are inevitable. To reduce the incidence of these breaches, it is crucial that security becomes a core component of IoT design principles, which should include effective remediation for incidents in which security is compromised.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.